Abstract. In cryptanalysis, the security of ciphers vis-a-vis attacks is gauged
against three criteria of complexity, i.e., computations, memory and
time. Some features may not be so apparent in a particular domain, and
their analysis in a transformed domain often reveals interesting patterns.
Moreover, the complexity criteria in different domains are different and
performance improvements are often achieved by transforming the problem
into an alternate domain. Owing to the results of coding theory and
signal processing, Discrete Fourier Transform (DFT) based attacks have
proven to be more efficient than algebraic attacks in terms of their
computational complexity. Motivated by DFT based attacks, we present a
transformed domain analysis of Linear Feedback Shift Register (LFSR) based
sequence generators. The time and frequency domain behavior of nonlinear
filter and combiner generators is discussed along with some novel
observations based on the Chinese Remainder Theorem (CRT). CRT is
exploited to establish patterns in LFSR sequences and the underlying cyclic
structures of finite fields. Application of DFT spectra attacks on combiner
generators is also demonstrated. Our proposed method saves on
the last stage computations of selective DFT attacks for combiner
generators. The proposed approach is demonstrated on some examples of
combiner generators and is scalable to the general configuration of combiner
generators.

1 Introduction

LFSRs have been widely used for sequence generation due to their inbuilt
recursive structure, faster implementations and well studied behaviour in diverse
applications of communications, coding theory and cryptology. In cryptographic
algorithms, the linear recurrence of LFSRs is modified by nonlinear filtering to
achieve higher linear complexities and good statistical properties. Some of the
classical schemes include filter generators, combiner generators, clock controlled
generators and shrinking generators. The nonlinear function used in these
generators is a boolean function $f : GF(2^n) \to GF(2)$ which takes $l$ inputs
from either an LFSR or from the outputs of a number of LFSRs and produces a $GF(2)$
keystream sequence. LFSR based sequence generators serve as the basic building
blocks for a number of eSTREAM submissions [T| and cellular algorithms, i.e. the A5
series [5] and the E0 algorithm [B].

In many scientific applications, it is common to analyze a problem in different
domains because some characteristics of the involved parameters can only
be better revealed in a particular domain. Moreover, the computational
requirements can be reduced as a result of the analysis in some transformed domains.
For instance, the propagation characteristics of light or magnetic waves can be
conveniently observed in the frequency domain as compared to their equivalent
representation in the time domain. A continuous signal in the time domain
$s(t) = \cos(2\pi f_c t)$, having infinite non-zero points, once converted to the
frequency domain $S(f)$ has only two non-zero frequency components, i.e. $f_c$
and $-f_c$. Similarly, decoding of block codes like Bose, Chaudhuri, and
Hocquenghem (BCH) codes and Reed Solomon codes in the frequency domain has proven
to be more efficient in terms of computational complexity and error free recovery
as compared to the analogous time domain decoding techniques m ■ Contemplating the
same, analysis of cryptographic primitives in transform domains has also produced
promising results. Though very little known in public literature, DFT based
spectral attacks m and transform domain analysis of DES cipher components ilS] are
interesting examples in this regard.

In this report, analysis of LFSR based sequence generators in the time and
frequency domains is presented. Starting from time and frequency domain
analysis of basic LFSR sequences, we build our analysis onto filter and combiner
generators. In Section 2, the basics of the Fourier transform over finite fields are
recalled. Section 3 delineates the time and frequency domain analysis of LFSRs.
Section 4 describes transform domain analysis of a simple product sequence, which
is a fundamental component of non-linear boolean functions. A novel account of a
Chinese Remainder Theorem (CRT) based interpretation of fixed patterns in the
cyclic structures of the underlying finite fields is discussed in this section. In
Section 5, time and frequency domain analysis of non-linear filter generators is
given with a perspective of their application in cryptographic algorithms. Specific
comments about selective DFT attacks on filter generators [19] are made in this
section. Section 6 discusses transform domain analysis of combiner generators and
the application of selective DFT attacks on combiner generators by exploiting
modular computations of CRT, along with a detailed complexity comparison in
relation to classical divide and conquer attacks. In Section 7, the applicability
of discrete Fourier spectra attacks on the A5/1 algorithm is discussed. The report
is finally concluded in Section 8.


2 Frequency Domain Representation over Finite Fields 

Discrete Fourier Transform (DFT) is considered one of the most important
discoveries in the area of signal processing. DFT presents us with an alternate
mathematical tool that allows us to examine the frequency domain behaviour of
signals, often revealing important information not apparent in the time domain.
The DFT $S_k$ of an $n$-point sequence $s_i$ is expressed in terms of the inner
product between the sequence and a set of complex discrete frequency exponentials:

$$S_k = \sum_{i=0}^{n-1} s_i \, e^{-j 2\pi i k / n}, \quad k = 0, 1, 2, \ldots, n-1 \tag{1}$$

The term $e^{-j 2\pi i k / n}$ represents a discrete set of exponentials.
Alternatively, $e^{-j 2\pi / n}$ can be viewed as an $n$-th root of unity.

Analogous to the classical DFT, a DFT for a periodic signal $s_t$ with period
$n$ defined over a finite field $GF(2^m)$ is represented as

$$S_k = \sum_{t=0}^{n-1} s_t \, \alpha^{-tk}, \quad k = 0, 1, 2, \ldots, n-1 \tag{2}$$

where $S_k$ is the $k$-th frequency component of the DFT and $\alpha$ is the
primitive element, a generator of $GF(2^m)$ with period $n$ [23]. For the inverse
DFT, we have the relation

$$s_t = \sum_{k=0}^{n-1} S_k \, \alpha^{tk}, \quad t = 0, 1, 2, \ldots, n-1 \tag{3}$$

Similarly for polynomials, we have a relation for DFT and IDFT. Having
a correspondence between a minimum polynomial and its associated sequence
$s_t$, with $s(x) = \sum_{t=0}^{n-1} s_t x^t$ and $S(x) = \sum_{k=0}^{n-1} S_k x^k$,
the following relation holds for the DFT US]:

$$S_k = s(\alpha^{-k}), \quad k = 0, 1, 2, \ldots, n-1 \tag{4}$$

and similarly for the IDFT:

$$s_t = S(\alpha^{t}), \quad t = 0, 1, 2, \ldots, n-1 \tag{5}$$

3 Transformed Domain Analysis of LFSR Sequences 

Classical theory on LFSR sequences and their applications in cryptology can be 
found in [16], [lh and [27]. In this section, transformed domain analysis of 
LFSRs, their sequences and underlying algebraic structures are recalled as they 
are fundamental to our proposed approach on filter and combiner generators. 

3.1 Time Domain Representation of an LFSR Sequence 

A binary sequence $s_t$ can be treated as an LFSR sequence of degree $m$ if it
follows a linear recursion with coefficients from $GF(2)$ as:

$$s_{i+m} = \sum_{k=0}^{m-1} c_k s_{i+k} \quad \text{for } i \ge 0 \tag{6}$$

The value $m$ is called the order of the recurrence and the associated
characteristic polynomial in $GF(2)$ is defined by

$$f(x) = x^m + \sum_{k=0}^{m-1} c_k x^k \tag{7}$$

The initial state $(s_0, s_1, \ldots, s_{m-1})$ of an LFSR serves as a key to generate
the complete sequence $s_t$. The period of any non-zero sequence can be at
most $2^m - 1$, which is in relation to the characteristic polynomial $f(x)$ of the
LFSR. If $f(x)$ is irreducible, it has $m$ distinct roots, i.e. $\alpha$ and its
conjugate set $\{\alpha, \alpha^2, \alpha^4, \ldots, \alpha^{2^{m-1}}\}$. Consequently,
if $f(x)$ is a primitive polynomial, then the order of its root $\alpha$ must be
$2^m - 1$, which in other words is the period of the associated
sequence $s_t$. Thus a sequence $s_t$ of an LFSR given by a primitive polynomial has
the maximum possible period $2^m - 1$ and is called an m-sequence.

Trace Representation of an LFSR Sequence. The same sequence $s_t$
can also be expressed in terms of its trace representation [24]: a linear operator
from $GF(2^m)$ to its subfield $GF(2)$. Let $Tr_1^m(x) = \sum_{i=0}^{m-1} x^{2^i}$ be
the trace mapping from $GF(2^m)$ to $GF(2)$; then the sequence $s_t$ can be
represented as:

$$s_t = Tr_1^m(\beta \alpha^t) \tag{8}$$

where $\alpha$ is a generator of the cyclic group $GF(2^m)^*$ and is called a primitive
element of $GF(2^m)$. Note that $\beta \in GF(2^m)$ and each of its nonzero values
corresponds to a cyclic shift of the m-sequence generated by an LFSR with primitive
polynomial $f(x)$. The importance of this interpretation of the m-sequence is that
different sequences constructed from the root $\alpha$ of the primitive polynomial
$f(x)$ are cyclic shifts of the same m-sequence. The associated linear space $G(f)$
of dimension $m$ contains $2^m$ different binary sequences, including the all 0s
sequence, as:

$$G(f) = \{\, r^i s \mid 0 \le i \le 2^m - 2 \,\} \cup \{0\} \tag{9}$$

where $r$ is a left shift operator and represents a linear transformation of the
sequence $s_t$. It is important to mention here that all sequences in $G(f)$, defined
over a primitive polynomial $f(x)$, have maximum period $r$, i.e. $2^m - 1$, with the
obvious exception of the all 0s sequence. Moreover, any two sequences $s$ and $u$
within $G(f)$ are cyclic shift equivalent if there exists an integer $k$ such that

$$u_i = s_{i+k}, \quad \forall\, i \ge 0. \tag{10}$$

LFSR Sequence in Matrix Form. Each state of an $m$-stage LFSR is a
vector in the $m$-dimensional space $GF(2^m)$. The shift register is then a linear
operator that changes the current state to its successor vector according to the
feedback. In simple terms, the transformation of each non-zero sequence in a field,
from state $(s_k, s_{k+1}, \ldots, s_{k+m-1})$ to its successor state
$(s_{k+1}, s_{k+2}, \ldots, s_{k+m})$, can be regarded as a linear operation on
$GF(2^m)$. The advantage of working with an operator operating on an
$m$-dimensional vector space is that it affords a matrix representation. Since

$$s_{m+k} = c_0 s_k + c_1 s_{k+1} + \cdots + c_{m-1} s_{k+m-1}, \quad k \ge 0, \tag{11}$$

a shift register matrix takes the form:

$$T = \begin{pmatrix}
0 & 0 & 0 & \cdots & 0 & c_0 \\
1 & 0 & 0 & \cdots & 0 & c_1 \\
0 & 1 & 0 & \cdots & 0 & c_2 \\
\vdots & & & & & \vdots \\
0 & 0 & 0 & \cdots & 1 & c_{m-1}
\end{pmatrix}$$

and

$$(s_{k+1}, s_{k+2}, \ldots, s_{k+m}) = (s_k, s_{k+1}, \ldots, s_{k+m-1})\,T
= (s_{k-1}, s_k, \ldots, s_{k+m-2})\,T^2
= (s_0, s_1, \ldots, s_{m-1})\,T^{k+1}$$

The matrix $T$ is called the state matrix of the LFSR in the time domain. Note
that $\det(T) = (-1)^m c_0$. Thus $T$ is invertible if and only if $c_0 \ne 0$.

3.2 Frequency Domain Representation of an LFSR Sequence 

From [21], the DFT of an LFSR sequence $a_t$ defined over a primitive polynomial
$f(x)$ produces a Fourier spectrum sequence $A_k$. For completeness, a few important
facts are reproduced here from [5] and [21], with some novel observations as well:

1. The zero components in the Fourier spectrum of a sequence over $GF(2^m)$
are related to the roots of a polynomial of that sequence. For example, the DFT
of an LFSR sequence with feedback polynomial $f(x) = x^3 + x + 1$ initialized
with state 001 is $0, 0, 0, \alpha^4, 0, \alpha^2, \alpha$. As the roots of $f(x)$
are $\alpha$ along with its conjugates, i.e. $\alpha^2$ and $\alpha^4$, the first,
second and fourth spectral components are zero.

2. As the DFT of a time domain signal comprises a fundamental frequency and
its harmonics, the DFT of an LFSR sequence based on a minimal polynomial
with no multiple roots also comprises $\alpha^i \in GF(2^m)$ and its harmonics
$\alpha^{ij \bmod r} \in GF(2^m)$ with $0 \le i \le r - 1$. This harmonic pattern can be
efficiently exploited in cryptanalysis attacks on LFSR based sequence generators.

3. All DFT components of an LFSR sequence lie in $GF(2^m)$.

4. Indices of non-zero DFT points for an LFSR with minimum polynomial and
no multiple roots also follow a fixed pattern. If the $k$-th component of the spectral
sequence is non-zero, then all $(2^j k) \bmod r$ components will be harmonics of
the $k$-th component, where $1 \le j \le m - 1$.

5. The DFT of an LFSR sequence based on a polynomial with multiple roots does
not contain a harmonic pattern of elements.

6. The linear complexity $L$ of an $n$-periodic sequence is equal to the Hamming
weight of its frequency domain associate. The three non-zero spectral components
in the example above verify this fact.

7. Time Shift Property. Let two sequences be related by a time shift
$u_t = s_{t+\tau}$; their DFTs $U_k$ and $S_k$ are related as:

$$U_k = \alpha^{k\tau} S_k, \quad k = 0, 1, \ldots, n - 1 \tag{12}$$

8. Indices of non-zero spectral points of an LFSR sequence do not change
with a shift in the LFSR sequence. A non-zero $k$-th component of the DFT of an
LFSR sequence will always be non-zero. Any shift in the LFSR sequence will
only change the value at this component by (12). The converse is also true for
zero spectral points of an LFSR sequence, which will always be zero no matter
how much the sequence is shifted.

9. Trace Representation of an LFSR sequence in Frequency Domain.
A binary sequence $s_t$ can be represented in terms of the trace function with
spectral components as follows:

st = ^2 Tr™ 3 t = 0,1 ,n - 1 (13) 

jer(n) 

where is a trace function from F^m to iy, Aj £ F%m and F(n) is a set 

of cyclotomic coset leaders modulo n. 

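10. Matrix Representation in Frequency Domain. The DFT of $s_t$, being a
linear operator with respect to $\alpha \in GF(2^m)$, can from equation (2) be written
in matrix form as:

$$(S_0, S_1, S_2, \ldots, S_{n-1})^T = D\,(s_0, s_1, s_2, \ldots, s_{n-1})^T \tag{14}$$

where

$$D = \begin{pmatrix}
1 & 1 & 1 & \cdots & 1 \\
1 & \alpha & \alpha^2 & \cdots & \alpha^{n-1} \\
1 & \alpha^2 & \alpha^{2 \cdot 2} & \cdots & \alpha^{2(n-1)} \\
\vdots & & & & \vdots \\
1 & \alpha^{n-1} & \alpha^{2(n-1)} & \cdots & \alpha^{(n-1)(n-1)}
\end{pmatrix}$$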


4 Transform Domain Analysis of a Product Sequence 

In this section, transform domain analysis of a product sequence generated
through multiplication of two LFSR sequences is presented. This analysis forms
the basis for the combiner and filter generators that will appear in subsequent
sections. The spectral domain features discussed in Section 3.2 hold true for
product sequences as well. In addition, a linear structure existing in the
frequency domain representation of the product sequence is presented which
renders itself useful for cryptanalysis of LFSR based sequence generators. The initial
state of an LFSR has direct relevance to the element $\beta \in GF(2^m)$ in (8), which
has been extensively exploited in algebraic and DFT based spectra attacks [T5].
Akin to this, there exists another phenomenon which has a one to one
correspondence with the initial states of LFSRs within a linear space $G(f)$ containing
cyclic shifts of m-sequences. These cyclic shifts in LFSR sequences and their
correspondence to the maximum period $r$ possess certain fixed patterns which exhibit
linear behaviour even when employed in nonlinear combiner generators. We have
observed that CRT interprets the shifts in LFSR sequences, and this is considered
our major contribution to the classical theory of LFSRs and sequence generators.
As the product of two LFSR sequences is a building block of any non-linear
boolean function, the idea is discussed by considering the simple case of
two m-sequences multiplied together. The process is generalized through its
mathematical rationale later in this subsection, where the CRT based interpretation
of shifts in LFSR sequences is discussed.


4.1 Time Domain Analysis of a Product Sequence 

We build our analysis by starting with the simple case of multiplication of the output
sequences of two LFSRs and illustrate our novel observations on fixed structures
existing in the frequency domain representation of product sequences. The
observations of this special case will be generalized to a sequence generator in the
next section.

Let $s_t$ be a key stream generated by multiplying the two LFSR sequences
$a_t$ and $b_t$, defined as

$$s_t = f(a_t, b_t) \tag{15}$$

where $f(\cdot)$ is a nonlinear function representing a term-wise product. If the
period of $a_t$ is $r_1$ and that of $b_t$ is $r_2$, we have

$$s_i = a_i \cdot b_i \quad \text{with } 0 \le i < r \tag{16}$$

where $r = \mathrm{lcm}(r_1, r_2)$. The linear complexity $L$ of the sequence $s_t$ in
this case satisfies

$$L(s_t) \le L(a_t)\,L(b_t) \tag{17}$$

where $L$ denotes the linear complexity of a sequence and the equality in (17) holds
if and only if the associated polynomials of $a_t$ and $b_t$ are primitive and are
greater than 2 IIS-


Fixed Patterns in Cyclic Structures of LFSRs. It has been observed that
there exists a specific relationship between the amount of shift in the product
sequence $s_t$, the periods of the individual LFSRs and the shifts from their
reference initial states. We generalize the process by giving its mathematical
rationale, followed by a detailed discussion through a small example. CRT allows a
mathematical representation of the relationship observed between the shifts in
individual LFSRs, their corresponding periods and the overall impact on the product
sequence $s_t$. We have an important theorem here.

Theorem 1. Let $s_t \in GF(2^m)$ be a reference product sequence with period $n$
having two constituent LFSRs defined over primitive polynomials with individual
periods $n_1$ and $n_2$. With different shifts $k_1$ and $k_2$ in the initial states of
the LFSRs, the resulting output sequence $u_t$ is correlated to $s_t$ by m where the
shift $\tau$ is determined through CRT as

$$\tau \equiv k_1 \pmod{n_1}$$
$$\tau \equiv k_2 \pmod{n_2}$$

Proof. Within a cyclic group $GF(2^m)$, the associated linear space $G(f)$ of dimension
$m$ contains $2^m - 1$ non-zero binary sequences by (9).

As $s_t$ and $u_t$ are both in $GF(2^m)$, they are shift equivalents by (10) with an
unknown shift value of $\tau$.

The product sequence $s_t$ of $a_t$ and $b_t$ can be expressed as

$$s_i = a_j \cdot b_v \tag{18}$$

where $0 \le i \le n - 1$, $0 \le j \le n_1 - 1$ and $0 \le v \le n_2 - 1$.

Remark 1. While contributing towards a product sequence of length $n$ with two
LFSRs, the stream of LFSR-1, defined over $GF(2^p)$ with a primitive polynomial and
maximum period $2^p - 1$, is repeated $\delta_1$ times while that of LFSR-2, defined
over $GF(2^q)$ with a primitive polynomial as well and corresponding period
$2^q - 1$, is repeated $\delta_2$ times, where

$$\delta_1 = \frac{\mathrm{lcm}(n_1, n_2)}{n_1} \quad \text{and} \quad \delta_2 = \frac{\mathrm{lcm}(n_1, n_2)}{n_2}$$

Remark 2. Within a sequence of period $n$ for a product sequence, each value of
index $j$ corresponds to all values of index $v$ if and only if $\gcd(n_1, n_2) = 1$.

From Remarks 1 and 2, any shift in the LFSRs' initial states will produce
output corresponding to some fixed indices of $j$ and $v$ which already existed in the
reference sequence at some fixed place with the initial states of the LFSRs without
shift.

With known values of $j$ and $v$ i.e. £v.s, CRT will give us the value of
$\tau \bmod n$ as

$$\tau \equiv k_1 \pmod{n_1}$$
$$\tau \equiv k_2 \pmod{n_2}$$

□

Example 1. Let us have a sequence $s_t$ generated from the product of two LFSRs
having primitive polynomials $g_1(x) = x^2 + x + 1$ and $g_2(x) = x^3 + x + 1$. The
period $n_1$ of the stream $a_t$ corresponding to LFSR-1 is 3 and $n_2$ of $b_t$
corresponding to LFSR-2 is 7. The period $n$ of $s_t$ is 21.

Table 1 demonstrates the product of two m-sequences generated from these two
LFSRs.

Table 1. Product sequence of 2 x LFSRs with n_1 = 3 and n_2 = 7

Shift Index  0   1   2   3   4   5   6   7   8   9   10  11  12  13  14  15  16  17  18  19  20
a_t          a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3
b_t          b1  b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7
s_t          s1  s2  s3  s4  s5  s6  s7  s8  s9  s10 s11 s12 s13 s14 s15 s16 s17 s18 s19 s20 s21


We analyze the impact of shifts on LFSR sequences and their behaviour in the
cyclic structures of the finite fields involved. We will shift the LFSR sequences one
by one and observe the fixed patterns which can be exploited in cryptanalysis
of the combiner generators. We can represent shifts in the LFSR sequences with $k$
and $l$ as

$$s_i = a_{i+k} \cdot b_{i+l}, \quad \text{with } 0 \le i \le n - 1 \tag{19}$$

where $k \in [0, n_1 - 1]$ and $l \in [0, n_2 - 1]$. Table 2 demonstrates the scenario
where $a_t$ is left shifted by one bit while keeping $b_t$ fixed with initial state of
T.


Table 2. Product sequence with a_t shifted left

Shift Index  7   8   9   10  11  12  13  14  15  16  17  18  19  20  0   1   2   3   4   5   6
a_t          a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1
b_t          b1  b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7
u_t          s8  s9  s10 s11 s12 s13 s14 s15 s16 s17 s18 s19 s20 s21 s1  s2  s3  s4  s5  s6  s7


Comparison of Table 1 with Table 2 reveals that shifting $a_t$ one bit left
and fixing $b_t$ to the reference initial state of T’ shifts $s_t$ by seven units left.
Similarly, shifting another bit of $a_t$ to the left brings $a_3$ corresponding to
$b_1$, which can be located in Table 1 at shift position 14. So two left shifts of
$a_t$ shift $s_t$ by 14 units left with reference to the bit positions in Table 1. Now
we analyze the impact of a left shift of $b_t$ on $s_t$. Table 3 demonstrates the
scenario where $b_t$ is left shifted by one bit while keeping $a_t$ fixed with initial
state of T’.

Table 3. Product sequence with b_t shifted left

Shift Index  15  16  17  18  19  20  0   1   2   3   4   5   6   7   8   9   10  11  12  13  14
a_t          a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3
b_t          b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7  b1
u_t          s16 s17 s18 s19 s20 s21 s1  s2  s3  s4  s5  s6  s7  s8  s9  s10 s11 s12 s13 s14 s15


It can be easily seen that one left shift in $b_t$ shifts $s_t$ by 15 units, where
$b_2$ is corresponding to $a_1$. Similarly, another left shift in $b_t$ shifts $s_t$ by
another 15 units, bringing $b_3$ corresponding to $a_1$. Subsequently, three left shifts
in $b_t$ with reference to the initial state of T’ bring $b_4$ corresponding to $a_1$,
which is at shift index 3 in Table 1. Similar fixed patterns can be observed for
simultaneous shifts of the LFSRs, which are discussed in more detail in the following
paragraphs.

Let us model these fixed patterns in LFSR cyclic structures and shifts in the initial
states of LFSRs through CRT as

$$x \equiv k \pmod{n_1}$$
$$x \equiv l \pmod{n_2}$$

where $k$ and $l$ denote the amount of shift in the initial state of the individual LFSRs
with reference to the initial state of T’. The solution of CRT, i.e. $x \pmod r$, gives the
amount of shift in $s_t$ with reference to $u_t$ as depicted in m- Consider again the
scenario where $a_t$ is shifted left by one bit and $b_t$ is fixed with initial state of T’,
which can be expressed as

$$x \equiv 1 \pmod 3$$
$$x \equiv 0 \pmod 7$$

The CRT gives the solution $7 \pmod{21}$, which is the index position of $a_2$
corresponding to $b_1$ in Table 1, shifting the product sequence $s_t$ by seven units left.
Consider another scenario of simultaneous shifts in both LFSR sequences, where
$a_t$ is shifted left by one bit and $b_t$ is shifted left by 3 bits with reference to their
initial states of T’, which can be expressed as

$$x \equiv 1 \pmod 3$$
$$x \equiv 3 \pmod 7$$

The CRT gives the value $-11$, which is $10 \pmod{21}$, representing the product
sequence $u_t$ as a 10 units left shifted version of $s_t$. This value matches the index
position of $b_4$ corresponding to $a_2$ in Table 1.

Our observations related to the direct correspondence of the shift index with the
initial states of LFSRs, and the CRT calculations done modulo the periods of the
individual LFSRs, are valid for any number of LFSRs in different configurations of
nonlinear sequence generators. These observations on the classical theory of LFSR
cyclic structures, with their CRT based interpretation, are considered significant for
cryptanalysis.
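
The relationship of Theorem 1 can be checked exhaustively on Example 1. The Python below is an added illustration, not code from the paper: it generates the two m-sequences, forms the product for every pair of shifts $(k, l)$, and compares the shift found by direct matching against the CRT solution. The function names and the initial states `(0, 1)` and `(0, 0, 1)` are choices made for this example.

```python
from math import prod

def lfsr(taps, state, length):
    """Bits of s[i+m] = XOR of s[i+k] for k in taps, from the given initial state."""
    s = list(state)
    m = len(state)
    while len(s) < length:
        i = len(s) - m
        bit = 0
        for k in taps:
            bit ^= s[i + k]
        s.append(bit)
    return s[:length]

def crt(residues, moduli):
    """Solve x = r_j (mod n_j) for pairwise coprime n_j; returns x mod prod(n_j)."""
    n = prod(moduli)
    x = 0
    for r, nj in zip(residues, moduli):
        q = n // nj
        x += r * q * pow(q, -1, nj)   # q * q^-1 is 1 mod nj and 0 mod the other moduli
    return x % n

def shifted_product(seqs, shifts, n):
    """u_i = product over the LFSRs of seq[(i + shift) mod period], 0 <= i < n."""
    out = []
    for i in range(n):
        bit = 1
        for seq, k in zip(seqs, shifts):
            bit &= seq[(i + k) % len(seq)]
        out.append(bit)
    return out

def observed_shifts(ref, seq):
    """All tau with seq[i] == ref[(i + tau) mod n] for every i."""
    n = len(ref)
    return [tau for tau in range(n)
            if all(seq[i] == ref[(i + tau) % n] for i in range(n))]

# Example 1: g1(x) = x^2 + x + 1 (period 3) and g2(x) = x^3 + x + 1 (period 7).
A = lfsr(taps=(0, 1), state=(0, 1), length=3)       # s[i+2] = s[i+1] + s[i]
B = lfsr(taps=(0, 1), state=(0, 0, 1), length=7)    # s[i+3] = s[i+1] + s[i]
PERIODS = (len(A), len(B))
N = prod(PERIODS)
REFERENCE = shifted_product((A, B), (0, 0), N)      # unshifted product sequence

def check_all_shifts():
    """Map (k, l) -> (CRT prediction, shifts found by exhaustive matching)."""
    table = {}
    for k in range(PERIODS[0]):
        for l in range(PERIODS[1]):
            u = shifted_product((A, B), (k, l), N)
            table[(k, l)] = (crt((k, l), PERIODS), observed_shifts(REFERENCE, u))
    return table

if __name__ == "__main__":
    for (k, l), (predicted, seen) in sorted(check_all_shifts().items()):
        print(f"k={k} l={l}  CRT shift={predicted:2d}  observed={seen}")
```

Because the product sequence has least period 21, each pair $(k, l)$ matches exactly one shift, so the 21 pairs enumerate all 21 cyclic shifts of the reference sequence.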
4.2 Frequency Domain Analysis of a Product Sequence

To compute the DFT of the sequence $s_t$ using equation m, we need to know
the minimum polynomial for $s_t \in GF(2^m)$, which can be efficiently determined
through the Berlekamp-Massey algorithm. It was demonstrated in the last subsection
that a linear structure exists in the spectral representation of the component
sequences $a_t$ and $b_t$ which propagates further into the DFT spectra of the product
sequence $s_t$. A few interesting results are presented here, illustrated by an
example:

1. Zero and non-zero positions of the DFT spectra of $s_t$ can be determined even
without knowing the minimum polynomial for $s_t \in GF(2^m)$ while working
in the lower order associated fields of $a_t \in GF(2^p)$ and $b_t \in GF(2^q)$, where
$p$ and $q < m$. Any $k$-th component of the DFT spectra of $s_t$ is non-zero if and only
if $A_k$ and $B_k$ are both non-zero, where $A_k$ and $B_k$ represent the DFTs of $a_t$
and $b_t$ respectively.

2. With known non-zero DFT points for $a_t$ and $b_t$, the Chinese Remainder Theorem
(CRT) can be used to determine the non-zero points of the DFT spectra of $s_t$ directly.
With $n_1$ and $n_2$ being the individual periods of $a_t$ and $b_t$ respectively, we can
apply CRT as:

$$x \equiv k_1 \pmod{n_1}$$
$$x \equiv k_2 \pmod{n_2}$$

where $k_1$ and $k_2$ are non-zero index positions of $A_k$ and $B_k$ respectively and
$x$ is the position of a non-zero component of the DFT spectra of $s_t$ within its
period $n$.

3. The DFT of a product sequence with a minimal polynomial having no multiple
roots follows a harmonic structure of its elements, with $\alpha^i \in GF(2^m)$ and
its harmonics $\alpha^{ij \bmod n} \in GF(2^m)$ with $0 \le i \le n - 1$ appearing in the
DFT spectrum.

4. Non-zero indices of DFT sequences also follow a fixed pattern. A $k$-th non-zero
component has its harmonics at all $(2^j k) \bmod n$ points with $1 \le j \le n - 1$.

5. Shifting of any component sequence $a_t$ or $b_t$ will impact the spectral
components of the resulting sequence $s_t$ by m-

6. The zero components in the Fourier transform of a product sequence $s_t$
defined over $GF(2^m)$ are related to the roots of its minimum polynomial $g(x)$.

7. Consider two LFSR sequences $a_t \in GF(2^p)$ and $b_t \in GF(2^q)$ being
components of a product sequence, with their spectral components $A_k$ and $B_k$
respectively, $0 \le k \le N - 1$. While working in the base fields, can we determine
the corresponding frequency components of the product stream $z_t \in GF(2^m)$?
Our results on this problem are being published somewhere else shortly.

Example 2. Consider a product sequence $s_t$ generated from two LFSRs with
minimum polynomials $g_1(x) = x^3 + x + 1$ and $g_2(x) = x^2 + x + 1$.

1. In the time domain representation, we have the following sequences.
Sequence $a_t$: 011 (of period 3)
Sequence $b_t$: 0010111 (of period 7)
Sequence $s_t$: 001011000001010010011101110111011101 (of period 21)

2. From ©, the frequency domain representations of these sequences are:

(a) $A_k = 0, 1, 1$

(b) $B_k = 0, 0, 0, \alpha^4, 0, \alpha^2, \alpha$

(c) To compute $S_k$, the associated minimum polynomial is determined through the
Berlekamp-Massey algorithm, which is $g(x) = x^6 + x^4 + x^2 + x + 1$.

$S_k = 0, 0, 0, 0, 0, \alpha^9, 0, 0, 0, 0, \alpha^{18}, 0, 0, \alpha^{15}, 0, 0, 0, \alpha^{18}, 0, \alpha^9, \alpha^{15}$

3. The following is to be noted here:

(a) Non-zero DFT points in $S_k$ clearly follow a linear behaviour as in the time
domain representation, where any $k$-th component is non-zero if and only
if $A_k$ and $B_k$ are both non-zero. CRT can be directly used to determine
these non-zero points.

(b) The harmonic pattern of the DFT spectra is visible for $A_k$, $B_k$ and $S_k$.

(c) Non-zero indices of DFT sequences also follow a fixed pattern. In the case
of $S_k$, the non-zero DFT element at index 5 has its harmonics at indices
10, 20, 19 (40 mod 21), 17 (80 mod 21) and 13 (160 mod 21).

(d) If we shift $b_t$ by one bit to the left, the resulting sequences in the frequency
domain will hold the shift property of equation (12).

$A_k = 0, 1, 1$

$B_k = 0, 0, 0, \alpha, 0, \alpha^4, \alpha^2$

$S_k = 0, 0, 0, 0, 0, \alpha^{18}, 0, 0, 0, 0, \alpha^{15}, 0, 0, \alpha^9, 0, 0, 0, \alpha$

(e) The zero components in the Fourier transform of a product sequence $s_t$
defined over $GF(2^m)$ are related to the roots of $g(x) = x^6 + x^4 + x^2 + x + 1$.
As the roots of $g(x)$ are $\alpha$ along with its conjugates, i.e. $\alpha^2$, $\alpha^4$,
$\alpha^8$ and $\alpha^{16}$, the first, second, fourth, eighth and sixteenth spectral
components are zero.
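
The spectra of Example 2 can be recomputed directly. The Python below is an added illustration, not code from the paper: it evaluates $S_k = \sum_t s_t \omega^{tk}$, using the exponent sign of the matrix $D$ in Section 3.2 (the sign that reproduces the values listed above), and takes $\omega$ to be the residue class of $x$ modulo each polynomial given in the example. Function and constant names are this example's own.

```python
def gf_mul(a, b, modulus, m):
    """Multiply two elements of GF(2^m) = GF(2)[x]/(modulus), given as bit masks."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:                      # degree reached m: reduce by the field polynomial
            a ^= modulus
    return r

def root_powers(n, modulus, m):
    """[w^0, ..., w^(n-1)] for w = x; raises if x is not an n-th root of unity."""
    powers = [1]
    for _ in range(n - 1):
        powers.append(gf_mul(powers[-1], 0b10, modulus, m))
    if gf_mul(powers[-1], 0b10, modulus, m) != 1:
        raise ValueError("x is not an n-th root of unity in this field")
    return powers

def dft(bits, modulus, m):
    """S_k = sum_t s_t w^(t k) for a binary sequence of period n = len(bits)."""
    n = len(bits)
    w = root_powers(n, modulus, m)
    spectrum = []
    for k in range(n):
        acc = 0
        for t, bit in enumerate(bits):
            if bit:
                acc ^= w[(t * k) % n]
        spectrum.append(acc)
    return spectrum

def as_exponents(spectrum, modulus, m):
    """Write each non-zero component as the exponent e of w^e; None marks a zero."""
    w = root_powers(len(spectrum), modulus, m)
    return [None if v == 0 else w.index(v) for v in spectrum]

def support(spectrum):
    return [k for k, v in enumerate(spectrum) if v]

def crt_support(sup_a, n_a, sup_b, n_b):
    """Indices k mod n_a*n_b with k mod n_a in sup_a and k mod n_b in sup_b."""
    return [k for k in range(n_a * n_b) if k % n_a in sup_a and k % n_b in sup_b]

# Sequences and polynomials of Example 2 (bit i of a mask is the coefficient of x^i).
A_BITS, G_A = [0, 1, 1], 0b111                  # x^2 + x + 1
B_BITS, G_B = [0, 0, 1, 0, 1, 1, 1], 0b1011     # x^3 + x + 1
G_S = 0b1010111                                 # x^6 + x^4 + x^2 + x + 1
S_BITS = [A_BITS[t % 3] & B_BITS[t % 7] for t in range(21)]

def example2():
    """Spectra before and after shifting b_t one position to the left."""
    b_left = B_BITS[1:] + B_BITS[:1]
    u_bits = [A_BITS[t % 3] & b_left[t % 7] for t in range(21)]
    S, U = dft(S_BITS, G_S, 6), dft(u_bits, G_S, 6)
    w = root_powers(21, G_S, 6)
    tau = next(t for t in range(21) if t % 3 == 0 and t % 7 == 1)   # CRT shift
    # With exponent +tk, a left shift by tau multiplies S_k by w^(-k*tau):
    # the support is unchanged, only the values move.
    rule = all(U[k] == gf_mul(w[(-tau * k) % 21], S[k], G_S, 6) for k in range(21))
    return {
        "S": as_exponents(S, G_S, 6),
        "B_shifted": as_exponents(dft(b_left, G_B, 3), G_B, 3),
        "S_shifted": as_exponents(U, G_S, 6),
        "tau": tau,
        "shift_rule_holds": rule,
        "linear_complexity": len(support(S)),
    }

if __name__ == "__main__":
    for name, value in example2().items():
        print(name, value)
```

The number of non-zero components of $S_k$ is 6, the degree of $g(x)$, and their positions are obtained from the supports of $A_k$ and $B_k$ by CRT without any arithmetic in $GF(2^6)$.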


The patterns observed during the time and frequency domain analysis of product
sequences will be applied to LFSR based sequence generators in the following
sections. LFSR based sequence generators can be broadly divided into
three main classes: non-linear filter generators, non-linear combiner generators
and clock controlled generators, with a few variants of shrinking generators [9].
Transform domain analysis of filter and combiner generators will be presented in
the following sections.


5 Transformed Domain Analysis of Filter Generators

The nonlinear filter generator consists of a single LFSR which is filtered by
a nonlinear boolean function $f$, called the filtering function. In a filter
generator, the LFSR feedback polynomial, the filtering function and the tapping
sequence are usually publicly known. The secret parameter is the initial state of
the LFSR, which is derived from the secret key of the cipher by a key-loading
algorithm. Therefore, most attacks on filter generators consist of recovering the
LFSR initial state from the knowledge of some bits of the sequence produced by
the generator (in a known plaintext attack), or of some bits of the ciphertext
sequence (in a ciphertext only attack).


5.1 Time Domain Analysis of Filter Generators 

Let $s_t$ be an m-sequence with maximum period $2^m - 1$ generated from an LFSR
whose length is $m$; then $z_t$ is the output sequence of a filter generator

$$z_t = f(s_0, s_1, s_2, \ldots, s_{t-1}) \quad \forall\, t \ge 0 \tag{20}$$

where $s_0, s_1, \ldots$ are the inputs of the nonlinear function $f$ corresponding to
the taps of an LFSR, as shown in the figure below.

Fig. 1. A Simple Filter Generator

In order to obtain a keystream sequence having good cryptographic
properties, the filtering function $f$ should be balanced (i.e., its output should be
uniformly distributed), and should have large algebraic degree with large correlation
and algebraic immunity.

Now we present a few important facts related to the design parameters of filter
generators in the time domain [9]:

1. The period of the output stream $z_t$ is $2^m - 1$, where $m$ is the degree of the
feedback polynomial of the LFSR, which is primitive in most cases. The requirement of
a long period is a direct consequence of the shift property of m-sequences as defined
in m within a linear space $G(f)$.

2. The output sequence of a filter generator $z_t$ is a linear recurring sequence
whose linear complexity $L(z)$ is related to the length of the LFSR and the algebraic
degree of the nonlinear filtering function $f$. For any LFSR defined over $GF(2)$
with a primitive feedback polynomial, an upper bound on the linear span is

$$L(z) \le \sum_{i=1}^{d} \binom{l}{i} \tag{21}$$

where $d$ is the degree of the filtering function $f$ and $l$ is the length of the LFSR.
Thus for a higher $L$ in sequence generator designs, $d$ and $l$ are chosen to be as
high as possible.

3. The LFSR feedback polynomial should not be sparse.

4. The tapping sequence should be such that the memory size (corresponding
to the largest gap between the two taps) is large and preferably close to its
maximum possible value. This resists the generalized inversion attack [5],
which exploits the memory size.

5. If the LFSR taps are equally spaced, then the lower bound on the linear
complexity will be

L{z) > Q ( 22 ) 

6. The boolean function used as a filtering function must satisfy the
following criteria to be called a good cryptographic function. For details,
readers may refer to [12].

(a) The boolean function should have high algebraic degree. A high algebraic
degree increases the linear complexity of the generated sequence.

(b) It should have high correlation immunity, which is defined as a measure
of the degree to which its output bits are correlated to a subset of its input
bits. High correlation immunity forces the attacker to consider several
input variables jointly and thus decreases the vulnerability to
divide-and-conquer attacks.

(c) It should have high non-linearity, which is related to its minimum
distance from all affine functions. A high nonlinearity gives a weaker
correlation between the input and output variables. This criterion relates to
linear cryptanalysis, best affine approximation attacks, and low order
approximation attacks. Moreover, high non-linearity resists the correlation
and fast correlation attacks [22] by making the involved computations
infeasible.

(d) The recent developments in cryptanalysis attacks introduced the most
significant cryptographic criterion for boolean functions, termed algebraic
immunity. There should not be a low degree function $g$ for $f$ which
satisfies $f * g = 0$ or $(f + 1) * g = 0$. Algebraic immunity is defined as
the minimum degree of a function $g$ for any boolean function $f$ satisfying
the said criteria. Attacks exploiting this weakness in boolean functions are
called
algebraic Era and fast algebraic attacks m , 0- 

(e) A more recent attack on filter generators [25] exploiting the underlying 
algebraic theory suggests an updated estimate of degree of non linear 
boolean functions to resist the new kind of attack on filter generators. 
5.2 Frequency Domain Analysis of Filter Generators

This section provides DFT based analysis of filter generators, which has been
known in the public domain for a few years. A few additional results of our
frequency domain analysis have also been included here.

1. Irrespective of the time domain requirement of a long period for a filter
generator, DFT simplifies the associated high computational problem to any
$k$-th component of Fourier spectra through the relation

$$\alpha^{\tau} = (Z_k A_k^{-1})^{k^{-1}} \tag{23}$$

where $\tau$ determines the exact amount of shift between $a_t$ and $z_t$ and
$k$ is the index of any one component of DFT spectra.

2. To obtain a specific component of Fourier spectra and limit the
computational complexity within affordable bounds, Fast Discrete Fourier
spectra attacks [19] propose an idea of selecting a suitable filter polynomial
$q(x)$, an LTI system, to pass only specific spectral points and restrict all
others, which are nulled to zero. To illustrate, we mention an important lemma
here without proof.

Lemma 1. Let $q(x)$ be a polynomial defined over $GF(2)$ with period $r$ as
$q(x) = \sum_{i=0}^{r} c_i x^i$. We apply $s_t$ to an LTI system having a
function $q(x)$ and $z_t$ is the output sequence. By the theory of LTI system
response to any arbitrary signal and convolution in time domain, we have

$$z_t = \sum_{i=0}^{r} c_i s_{i+t}, \quad t = 0, 1, \ldots \tag{24}$$

Converting the relation into frequency domain, we get

$$Z_k = q(\alpha^k) S_k, \quad k = 0, 1, \ldots, n-1 \tag{25}$$

where $q(\alpha^k)$ is in fact $Q_k$; a way of interpreting DFT in terms of
polynomials.

3. Selection of polynomial $q(x)$ as a filter function is discussed at length
in [17]. To summarize, steps of computations are

(a) Computing minimum polynomial $g(x)$ of output stream $z_t$ by generating
a reference sequence $a_t$ which in fact is a shifted version of $z_t$.

(b) Selecting $k$ amongst the coset leaders such that $\gcd(k, n) = 1$ and
$g(\alpha^k) = 0$.

(c) Computing the $k$-decimated sequence of reference stream $a_t$ as
$c_t = a_{kt}$.

(d) Using Berlekamp-Massey algorithm, computing minimum polynomial $g_k(x)$.

(e) Computing $q(x)$ through a relation

$$q(x) = \frac{g(x)}{g_k(x)} \tag{26}$$
4. Selection of $q(x)$ can be done by direct factorization of the minimum
polynomial $g(x)$.

5. The DFT over binary fields can be computed for a filter generator without
requiring the entire sequence. Authors in m have provided a detailed algorithm
for computing DFT for sequences with fewer bits (equal to the linear span of
that sequence or even lesser) as compared to the total period of the sequence.
We also propose an alternate approach to select $q(x)$ in the next section
dealing with the combiner generators.

6. The consequence of Fast Discrete Fourier Spectra attacks on sequence
generators introduced a new design criterion of spectral immunity. This
criterion implies that in order to resist the selective DFT attack, the
minimal polynomial of an output sequence of an LFSR based key stream generator
should be irreducible.

7. Recent studies have shown that low spectral weight annihilators are essential 
for Fast Discrete Fourier Spectra attacks [29]. 

6 Transformed Domain Analysis of Combiner Generators 

A combiner generator consists of a number of LFSRs which are combined by a
nonlinear Boolean function. The Boolean function $f$ is called the combining
function and its output is the keystream. The Boolean function $f$ must have
high algebraic degree, high nonlinearity and preferably a high order of
correlation immunity.


6.1 Time Domain Analysis of Combiner Generators 

Consider a combiner generator consisting of $l$ LFSRs as shown in Figure 2.

Fig. 2. A Simple Combiner Generator

We denote the output sequence of the $i$-th LFSR as $a^i$, its minimal
polynomial $g_i(x)$ and its length where $i = 1, 2, \ldots, l$. We will assume
here that all $r_i$'s are mutually coprime which is generally the case for the
combiner generators. Let $f(a_t^1, a_t^2, \ldots, a_t^l)$ be a nonlinear
function where $f : GF(2^l) \to GF(2)$ takes input from $l$ LFSRs and produces
the key stream $z_t$ as

$z_t =$ (27)

The criteria for selecting LFSRs and the boolean function in a combiner
generator are mostly similar to filter generators. However, a few
additions/differences related to design parameters are as follows:

1. Contrary to filter generators where a single LFSR with larger length is
used, a combiner generator employs multiple LFSRs with comparatively smaller
lengths. The requirement of primitive polynomials as feedback polynomials
stays as such for each LFSR.

2. The period of output keystream becomes $\mathrm{lcm}(r_1, r_2, \ldots, r_l)$.

3. Since the combining function involves both Xoring and multiplication
operations, a few properties of linear complexities are reproduced here from
[7], ESI and m. Considering linear complexities of LFSR sequences
$a_t^1, a_t^2, \ldots, a_t^l$ as $L_1, L_2, \ldots, L_l$:

(a) the linear complexity of the sequence $s_t = (a_t^1 + a_t^2)$ satisfies

$$L(s_t) \le L(a_t^1) + L(a_t^2), \tag{28}$$

the equality holds if and only if the minimal polynomials of $a_t^1$ and
$a_t^2$ are relatively prime.

(b) From ijTTl) . the linear complexity of the sequence
$s_t = (a_t^1 . a_t^2)$ satisfies

$$L(s_t) \le L(a_t^1) \cdot L(a_t^2) \tag{29}$$

(c) The linear complexity of $z_t = f(a_t^1, a_t^2, \ldots, a_t^l)$ satisfies

$$L(z_t) = f(L_1, L_2, \ldots, L_l) \tag{30}$$

4. The novel observations regarding fixed patterns of LFSRs, cyclic structures 
existing in finite fields and their interpretation through CRT imply that 
index of observed keystream bits in any reference stream directly reveals the 
initial state of all LFSRs. CRT based interpretation of LFSR sequences in 
relation to their periods thus reiterates the requirement of long period for 
sequences of combiner generators. 


6.2 Frequency Domain Analysis of Combiner Generators 

In this section, frequency domain analysis of combiner generators is
presented. The application of selective DFT attacks on combiner generators is
discussed in detail with some novel observations. Developing on the theory of
selective DFT attack, a new efficient methodology is proposed to identify the
initial states of all LFSRs of combiner generators.
In Section 4.2, the direct mapping of the product sequence between time and
frequency domains was demonstrated. Likewise, the Xoring operation existing in
most boolean functions also demonstrates a similar mapping. For application
of boolean functions in combiner generators, the following is important:

1. For the product terms of a non-linear boolean function, a term of DFT
spectra of the product stream is nonzero if and only if all the component
DFT terms are nonzero. With known non-zero DFT points for
$a_t^1, a_t^2, \ldots, a_t^l$, CRT can be used to determine non zero points of
DFT spectra of $s_t$ directly as:

$$\begin{aligned}
x &\equiv k_1 \pmod{r_1} \\
x &\equiv k_2 \pmod{r_2} \\
  &\;\;\vdots \\
x &\equiv k_l \pmod{r_l}
\end{aligned}$$

where $k_1, k_2, \ldots, k_l$ denote non zero index positions of
$a_t^1, a_t^2, \ldots, a_t^l$ and $x$ is the position of the non-zero
component of DFT spectra of $s_t$ within its period $r$.

2. For terms of a non-linear boolean function being Xored, any DFT spectra
term will be nonzero for which the number of nonzero component DFT terms is
odd.

Let us explain these facts through an example. 

Example 3. Consider a combiner generator consisting of 3 LFSRs with primitive
polynomials $g_1(x) = x^2 + x + 1$, $g_2(x) = x^3 + x + 1$ and
$g_3(x) = x^5 + x^2 + 1$. The outputs of LFSRs in this case are m-sequences,
denoted as $a_t^1$, $a_t^2$ and $a_t^3$ respectively. Output stream of the
generator is denoted as $z_t$ and a nonlinear function $f(x)$ is

$$f(x) = a_t^1 a_t^2 + a_t^2 a_t^3 + a_t^1 a_t^3$$

where period of $z_t$ in this case becomes 651 as $\mathrm{lcm}(3, 7, 31) = 651$.

Mapping of operations is demonstrated in spectral domain using [2] as:

1. DFT of individual LFSRs:

(a) DFT of $a_t^1$: $0, 1, 1$

(b) DFT of $a_t^2$: $0, 0, 0, \alpha^4, 0, \alpha^2, \alpha$

(c) DFT of $a_t^3$: only five non-zero DFT terms are at indices 15, 23, 27, 29
and 30 with values $\alpha^{29}$, $\alpha^{30}$, $\alpha^{15}$, $\alpha^{23}$
and $\alpha^{27}$ respectively.

2. DFT of product streams:

(a) DFT of $a_t^1 a_t^2$: Corresponding to minimum polynomial of
$x^6 + x^4 + x^2 + x + 1$ and period = 21, six non-zero components are
$\alpha^9$, $\alpha^{18}$, $\alpha^{15}$, $\alpha^{18}$, $\alpha^9$ and
$\alpha^{15}$ at indices 5, 10, 13, 17, 19 and 20. These indices can be easily
determined while working in component fields of $GF(2^2)$ and $GF(2^3)$ by
using CRT calculations as discussed in Section 4.2.

(b) DFT of $a_t^1 a_t^3$: With minimum polynomial
$x^{10} + x^5 + x^4 + x^2 + 1$ and period = 93, ten non-zero components are at
indices 23, 29, 46, 58, 61, 77, 85, 89, 91 and 92.

(c) DFT of $a_t^2 a_t^3$: Similarly with minimum polynomial
$x^{15} + x^{12} + x^{10} + x^7 + x^6 + x^2 + 1$ and period = 217, fifteen
non-zero components are at indices 27, 54, 61, 89, 108, 122, 139, 153, 178,
185, 201, 209, 213, 215 and 216.

(d) To verify the established facts, DFT of the product of all three streams
has also been analyzed. For $a_t^1 a_t^2 a_t^3$ having a minimum polynomial of
$x^{30} + x^{25} + x^{24} + x^{20} + x^{19} + x^{17} + x^{16} + x^{13} + x^{10} + x^9 + x^8 + x^7 + x^4 + x^2 + 1$
with period = 651, thirty non-zero DFT components are at indices
61, 89, 122, 139, 178, 185, 209, 215, 244, 271, 278, 325, 356, 370, 395, 418,
430, 433, 461, 488, 523, 542, 556, 587, 619, 635, 643, 647, 649 and 650. All
these indices can be determined directly from knowing the individual DFTs of
three LFSRs separately. For instance,

$$\begin{aligned}
x &\equiv 1 \pmod{3} \\
x &\equiv 3 \pmod{7} \\
x &\equiv 15 \pmod{31}
\end{aligned}$$

gives result of 325 which exists amongst thirty non-zero DFT computations as
well.

3. To see the impact of Xor operation in frequency domain, DFT of $z_t$ with
minimum polynomial
$x^{31} + x^{29} + x^{28} + x^{27} + x^{24} + x^{23} + x^{22} + x^{20} + x^{18} + x^{17} + x^{16} + x^{15} + x^{13} + x^{11} + x^{10} + x^9 + x^8 + x^7 + x^5 + x^4 + x^2 + x + 1$
is computed. Results reveal that at all indices where the number of non-zero
DFT terms for the three product streams, i.e. $a_t^1 a_t^2$, $a_t^2 a_t^3$ and
$a_t^1 a_t^3$, is odd, the resulting DFT term is non-zero. For instance at
indices 5, 10, 13, 17, 19 and 20, where only the DFT of the $a_t^1 a_t^2$ term
is non-zero, the resulting DFT for $z_t$ is also non-zero. Similar is the case
for other indices.
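
The CRT rule of items 1 and 2 can be checked against every index list of Example 3. The following Python sketch is an added illustration, not code from the paper; the function names are hypothetical, and `xor_support` assumes that an LFSR absent from a product term contributes residue 0, so that all indices are expressed within the common period 651.

```python
from itertools import product

# Values taken from Example 3: LFSR periods and the non-zero DFT indices
# of each m-sequence within its own period.
PERIODS = (3, 7, 31)
SUPPORT = ({1, 2}, {3, 5, 6}, {15, 23, 27, 29, 30})


def crt(residues, moduli):
    """Return x with x = residues[i] (mod moduli[i]); moduli pairwise coprime."""
    x, n = 0, 1
    for r, m in zip(residues, moduli):
        # Lift x so that it also satisfies x = r (mod m).
        x += n * (((r - x) * pow(n, -1, m)) % m)   # pow(n, -1, m): Python 3.8+
        n *= m
    return x


def product_support(lfsrs):
    """Non-zero DFT indices of the product of the LFSR streams in `lfsrs`
    (0-based), within the period of that product stream (item 1)."""
    moduli = [PERIODS[i] for i in lfsrs]
    choices = product(*(sorted(SUPPORT[i]) for i in lfsrs))
    return sorted(crt(ks, moduli) for ks in choices)


def xor_support(terms):
    """Odd-count rule of item 2 for XORed product terms, over period 651.
    Assumption of this example: an LFSR that a term does not use
    contributes residue 0 along its own modulus."""
    hits = {}
    for lfsrs in terms:
        axes = [sorted(SUPPORT[i]) if i in lfsrs else [0]
                for i in range(len(PERIODS))]
        for ks in product(*axes):
            x = crt(ks, PERIODS)
            hits[x] = hits.get(x, 0) + 1
    return sorted(x for x, count in hits.items() if count % 2 == 1)


if __name__ == "__main__":
    print("a1.a2    :", product_support((0, 1)))
    print("a1.a3    :", product_support((0, 2)))
    print("a2.a3    :", product_support((1, 2)))
    print("a1.a2.a3 :", product_support((0, 1, 2)))
    z = xor_support([(0, 1), (1, 2), (0, 2)])
    # The count equals the degree of the minimum polynomial of z_t.
    print("z_t      :", len(z), "non-zero DFT components")
```

The three product terms use different LFSR pairs, so their supports never coincide and the odd-count rule keeps all 6 + 10 + 15 = 31 components, which matches the degree-31 minimum polynomial of $z_t$ given in item 3.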


Selective DFT Attacks on Combiner Generators. In this subsection, the
possibility of extending the selective DFT attack to combiner generators is
discussed. The attack algorithm on non-linear filter generator has been
explained in m and m. However, direct application of selective DFT attack on
combiner generators has a few limitations with regard to the underlying design
of these types of sequence generators. For simplicity, the case of
$m = L(a_t)$ has been considered here where $m$ is the number of known bits of
key stream and $a_t$ is the coordinated scaled sequence of key stream.

1. As combiner generators entail multiple LFSRs, determination of element
$\beta \in GF(2^m)$ through coordinated scaled sequence does not lead to
initial states of all LFSRs directly.

2. In the precomputation stage of the algorithm as discussed at length in m,
the $k$-decimation sequence of the LFSR output sequence is computed, followed
by applying the Berlekamp-Massey algorithm on it to determine its associated
minimum polynomial $g_k(x)$. With the help of this sequence $c_t$, an
$m \times m$ circulant matrix is obtained as follows

$$\begin{bmatrix}
c_0 & c_1 & c_2 & \cdots & c_{m-2} & c_{m-1} \\
c_1 & c_2 & c_3 & \cdots & c_{m-1} & c_m \\
c_2 & c_3 & c_4 & \cdots & c_m & c_{m+1} \\
\vdots & & & & & \vdots \\
c_{m-1} & c_m & c_{m+1} & \cdots & c_{2m-3} & c_{2m-2}
\end{bmatrix}$$

3. In [19], this matrix is termed as coefficient matrix $H$ and $g_k(x)$ is
the minimum polynomial for $\alpha^k$ where $a_t$ is determined from ([5]) or
through frequency component as:

$$a_t = \sum_{k} \mathrm{Tr}_1^{n_k}(A_k \alpha^{tk}), \quad t = 0 \ldots n-1 \tag{31}$$

4. We propose another approach to compute $g_k(x)$ through factoring $g(x)$.
In this case, the step involving the Berlekamp-Massey algorithm on the
$k$-decimated sequence will no longer be required. Setting up matrix $M$ or
$H$ in this case is by direct initializing of the corresponding LFSR from any
random state.

5. The output of the selective DFT algorithm produces $\beta = \alpha^{\tau}$.
Using this value of $\tau$, the left shift value for each LFSR sequence is
determined by applying modular computations of CRT with respect to individual
periods $r_i$'s of LFSRs as:

$$\begin{aligned}
\tau_1 &= \tau \pmod{r_1} \\
\tau_2 &= \tau \pmod{r_2} \\
       &\;\;\vdots \\
\tau_l &= \tau \pmod{r_l}
\end{aligned}$$

6. Determine the initial state of each LFSR by applying individual shift
values $\tau_i$'s to LFSR sequences by using ([5]) within each field
$GF(2^m)$ where

$$\beta_i = \alpha^{\tau_i}$$

$$b_t^i = \mathrm{Tr}_1^m(\beta_i \alpha^t)$$

7. If $\tau$ is directly applied to each LFSR, the number of computations
involved in shifting the LFSR sequence is of the order of $O(\tau)$. CRT based
interpretation of LFSR shifts in initial states with respect to their periods
saves the last step computations of selective DFT attacks.

Let us demonstrate these observations through an example. 

Example 4. Consider the same combiner generator as in Example 3. Suppose we
have only 31 bits of keystream $z_t$ = [1011110001111010111001011010111]. With
a known structure of the generator, our attack will determine the initial state
of the three LFSRs as follows:









1. Initially, the possibility of success of the selective DFT attack on the
given combiner generator will be determined. Through the Berlekamp-Massey
algorithm, the minimum polynomial $g(x)$ of keystream $z_t$ will be computed.
Applying a factorization algorithm on $g(x)$ gives its three factors as
$g_1(x) = x^6 + x^4 + x^2 + x + 1$, $g_2(x) = x^{10} + x^5 + x^4 + x^2 + 1$ and
$g_3(x) = x^{15} + x^{12} + x^{10} + x^7 + x^6 + x^2 + 1$. So the selective DFT
attack on this combiner generator is possible.

2. Generating a reference sequence $a_t$ and decimating it with $k = 58$ with
$\gcd(58, 651) = 1$ produces a coefficient sequence $c_t = 011010101110$.

3. Applying the Berlekamp-Massey algorithm on $c_t$ gives its associated
minimum polynomial of $g_k(x) = x^6 + x^4 + x^2 + x + 1$.

4. Circulant matrix will thus be of dimension $6 \times 6$ as:

M =
    011010
    110101
    101010
    010101
    101011
    010111
    101110


5. From ([21]), filter polynomial
$q(x) = x^{25} + x^{22} + x^{19} + x^{17} + x^{10} + x^9 + x^8 + x^5 + 1$.

6. The same results could be achieved from our observations as follows:

(a) From DFTs of $a_t^1$, $a_t^2$ and $a_t^3$ while working in finite fields
of $GF(2^2)$, $GF(2^3)$ and $GF(2^5)$, $k = 58$ can be directly calculated to
be a non-zero index for DFT of $z_t$.

(b) Factorization done initially to check applicability of our selective DFT
attacks already showed $g_1(x) = g_k(x)$ as one of the factors.

(c) We thus obtain the same $q(x)$ as in step 5 above.

7. Computations of the selective DFT algorithm give the result of $\tau = 19$.

8. Finally, we can determine the left shift value in sequences for each LFSR
by applying modular computations of CRT with respect to individual periods of
LFSRs $r_i$'s as

$$\begin{aligned}
\tau_1 &= 19 \pmod{3} \\
\tau_2 &= 19 \pmod{7} \\
\tau_3 &= 19 \pmod{31}
\end{aligned}$$

9. Having determined the exact shift value for each LFSR, their initial states
will be computed by using ([HI) within each field $GF(2^m)$ where

$$\beta_i = \alpha^{\tau_i}$$

$$b_t^i = \mathrm{Tr}_1^m(\beta_i \alpha^t)$$

10. The initial fills of LFSRs with 1 left shift in $a_t^1$, 5 left shifts in
$a_t^2$ and 19 left shifts in $a_t^3$ give:
Table 4. Initial States of 3 LFSRs

            Initial State
LFSR-1      10
LFSR-2      101
LFSR-3      01111


We are thus able to recover exactly the initial states of all the LFSRs
through our novel approach of interpreting fixed patterns in LFSR sequences
through CRT. Although the proposed approach was demonstrated on an
illustrative example, it holds true for any configuration of combiner
generators. The same was tested with different non-linear combiner functions
as well as with different numbers of LFSRs.
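
The numbers of Example 4 can be cross-checked by regenerating the keystream from the Table 4 states. This Python sketch is added here and is not the authors' code; it assumes the recurrence convention $a_{t+m} = \sum_j a_{t+j}$ over the terms $x^j$, $j < m$, of each feedback polynomial, with state strings read oldest bit first. It also covers the filter $q(x) = g(x)/g_k(x)$ of Section 5.2 and the shift reduction $\tau_i = \tau \bmod r_i$ of step 8.

```python
def poly(*exps):
    """Polynomial over GF(2) as a bitmask: bit j is the coefficient of x^j."""
    return sum(1 << e for e in exps)

POLYS = [poly(2, 1, 0), poly(3, 1, 0), poly(5, 2, 0)]   # Example 3
TABLE4 = ["10", "101", "01111"]                         # Table 4 states
KEYSTREAM = "1011110001111010111001011010111"           # Example 4
G1 = poly(6, 4, 2, 1, 0)                                # g_k(x), step 3
TAU = 19                                                # step 7

def lfsr(state, p, n):
    """First n bits. Assumed convention: state is a_0..a_{m-1} and
    a_{t+m} is the XOR of a_{t+j} over the terms x^j (j < m) of p."""
    m = p.bit_length() - 1
    taps = [j for j in range(m) if (p >> j) & 1]
    a = [int(ch) for ch in state]
    while len(a) < n:
        t = len(a) - m
        a.append(sum(a[t + j] for j in taps) % 2)
    return a[:n]

def combiner(states, n):
    """Keystream of f = a1.a2 + a2.a3 + a1.a3 (Example 3)."""
    a1, a2, a3 = (lfsr(s, p, n) for s, p in zip(states, POLYS))
    return [(x & y) ^ (y & z) ^ (x & z) for x, y, z in zip(a1, a2, a3)]

def berlekamp_massey(bits):
    """Return (L, g): linear complexity and minimal polynomial bitmask."""
    c, b, L, m = 1, 1, 0, -1            # connection polynomials as bitmasks
    for i, bit in enumerate(bits):
        d = bit                         # discrepancy
        for j in range(1, L + 1):
            d ^= (c >> j) & 1 & bits[i - j]
        if d:
            t, c = c, c ^ (b << (i - m))
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    g = sum(((c >> j) & 1) << (L - j) for j in range(L + 1))
    return L, g

def gf2_divmod(a, b):
    """Quotient and remainder of polynomial division over GF(2)."""
    q = 0
    while a.bit_length() >= b.bit_length():
        s = a.bit_length() - b.bit_length()
        q, a = q | (1 << s), a ^ (b << s)
    return q, a

def lti_filter(q, s):
    """v_t = sum_i c_i s_{t+i} over GF(2), c_i the coefficients of q (eq. 24)."""
    r = q.bit_length() - 1
    return [sum(s[t + i] for i in range(r + 1) if (q >> i) & 1) % 2
            for t in range(len(s) - r)]

def left_shift(state, p, tau):
    """State after tau left shifts, with tau first reduced modulo the
    period 2^m - 1 (step 8), so at most one period is ever generated."""
    m = p.bit_length() - 1
    tau %= 2 ** m - 1
    return "".join(map(str, lfsr(state, p, tau + m)[tau:]))

if __name__ == "__main__":
    z = combiner(TABLE4, 651)                   # one full period
    print("keystream matches:", "".join(map(str, z[:31])) == KEYSTREAM)
    L, g = berlekamp_massey(z)
    q, rem = gf2_divmod(g, G1)                  # q(x) = g(x) / g_k(x)
    print("L(z) =", L, "| g_k divides g:", rem == 0)
    print("L(filtered z) =", berlekamp_massey(lti_filter(q, z))[0])
    for s, p in zip(TABLE4, POLYS):
        r = 2 ** (p.bit_length() - 1) - 1
        print(f"tau mod {r} = {TAU % r} ->", left_shift(s, p, TAU))
```

Filtering the keystream with $q(x)$ leaves a sequence of linear complexity 6 whose minimal polynomial is $g_k(x)$, which is the spectral selection that Lemma 1 describes.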

6.3 Complexity Comparisons 

Let us see the advantage of frequency domain analysis of an LFSR based
combiner generator over its time domain analysis. We will also discuss
computational complexity in relation to the most common attacks. For a
combiner sequence having period $N$ with $l$ constituent LFSRs, the complexity
of exhaustive search is $2^{m_1 + m_2 + \cdots + m_l - 1}$ whereas for a
correlation attack the complexity reduces to
$2^{m_1 - 1} + 2^{m_2 - 1} + \cdots + 2^{m_l - 1}$. To compute the complexity
in case of selective DFT attacks on combiner generators, calculations for
preprocessing and actual attack stage are [19]:

1. Preprocessing Stage. The computations during this stage are the sum of the
following:

(a) The complexity of computing minimum polynomial $g(x)$ by applying the
Berlekamp-Massey algorithm on $s_t$ is $O(L \log_2(L))$ Xor operations where
$L$ is the linear complexity of $s_t$. In case of using a relation
$g(x) = \prod_{k \in I} g_k(x)$, complexity is $|I| [\log_2(L)]^3$.

(b) The complexity of computing $g_k(x)$ is $m \log_2(m)^2$ for each $k$. For
$k \in I$ with $I$ representing the set of coset leaders, complexity will be
$|I| [m (\log_2 m)^2]$.

(c) The complexity of computing $g(\alpha^k)$ is
$O(N \eta(m) + m \log_2(N))$ $GF(2)$ operations where
$\eta(m) = (m \log m \log \log m)$ and $N$ is the degree of polynomial $g(x)$.

2. Attack Stage. The complexity of this stage is the sum of the following:

(a) Passing our sequence $s_t$ through the LTI filter $q(x)$ is actually time
convolution of $q(x)$ and $s_t$ which costs $O(L)$ $GF(2)$ operations.

(b) The last step of the DFT spectra attack giving the output $\beta$ is
solving the system of linear equations over $GF(2)$ in $d$ unknowns which has
the complexity of utmost $O(d^w)$, where $w$ is Strassen's reduction exponent
$w = \log_2(7) \approx 2.807$.

(c) Determining left shift values for each LFSR through
$\tau_i = \tau \bmod r_i$ and computing initial states of LFSRs are of order
$O(l)$ each and are negligible, where $l$ is the number of LFSRs.
Having established the comparisons of complexities between exhaustive search,
correlation attack and selective DFT attack, let us map these to our Example 3
above. Exhaustive search costs utmost $2^{2+3+5-1} = 2^9 \approx O(512)$
$GF(2)$ computations. With probabilities of $P(z = a) = 6/8$,
$P(z = b) = 6/8$ and $P(z = c) = 6/8$, the correlation attack largely reduces
the complexity to $2^{2-1} + 2^{3-1} + 2^{5-1} \approx O(21)$ $GF(2)$
operations. In case of selective DFT attacks, complexity of the preprocessing
stage is $O(279)$ and of the attack stage is $O(150)$, making a total of
$O(429)$ $GF(2)$ operations. Thus it can be clearly stated that after one
time preprocessing computations of selective DFT attacks, complexity of the
actual attack stage with $O(150)$ is promisingly less as compared to the
exhaustive search attack. However, correlation attacks and their faster
variants are more efficient than DFT attacks in special scenarios where the
underlying combining function is not correlation immune. In case of
correlation immune combining functions, selective DFT attacks still provide
propitious results and are advantageous over the correlation attacks.

7 Applicability of Fast Discrete Fourier Spectra Attacks 
on A5/1 Algorithm 

In this section, applicability of fast discrete Fourier spectra attacks on the
A5/1 algorithm is discussed. For clarity of context, a description of the
algorithm structure is given first, followed by discussion on the possibility
of selective DFT attacks on it.

7.1 Description of A5/1 

A5/1 is a stream cipher built on a clock controlled combiner generator. Being
a Global System for Mobile Communications (GSM) encryption algorithm, it has
been intensively analyzed and is considered weak because of the number of
successful attacks now. Details can be found in a, m , and M. The keystream
generator consists of three LFSRs, R1, R2 and R3 of lengths 19, 22 and 23
respectively as shown in Figure 3.

Fig. 3. Design of A5/1 Algorithm

The taps of the three LFSRs correspond to primitive polynomials
$x^{19} + x^5 + x^2 + x + 1$, $x^{22} + x + 1$ and
$x^{23} + x^{15} + x^2 + x + 1$ and therefore, the LFSRs produce maximum
periods. The registers are clocked irregularly based on the decision of a
majority function having as input the clocking bits 8, 10 and 10 of registers
R1, R2 and R3 respectively. It is a type of stop and go clocking where those
LFSRs are clocked whose most significant bit (msb) matches the output bit of
the majority function. At each clock cycle either two or three registers are
clocked, and each register is moved with probability 3/4 and stops with
probability 1/4. The running key of A5/1 is obtained by XORing the output of
the three LFSRs. The process of keystream generation is as follows:

1. Starting with the key initialization phase, all LFSRs are initialized to
zero first. The 64-bit session key $K = (k_0, \ldots, k_{63})$ and the
publicly known 22-bit frame number serve as initialization vector. In this
phase all three registers are clocked regularly for 86 cycles during which the
key bits followed by frame bits are xored with the least significant bits of
all three registers consecutively.

2. During second phase, the three registers are clocked for 100 additional cycles 
with the irregular clocking, but the output is discarded. 

3. Finally, the generator is clocked for 228 clock cycles with the irregular clock¬ 
ing producing the 228 bits that form the keystream. 114 of them are used 
to encrypt uplink traffic from A to B, while the remaining 114 bits are used 
to decrypt downlink traffic from B to A. A GSM conversation is sent as a 
sequence of frames, where one frame is sent every 4.6 ms and contains 114 
bits. Each frame conversation is encrypted by a new session key K. 


7.2 DFT Attacks on A5/1 

Applicability of selective DFT attacks is preconditioned on the following two
separate cases:

1. Case 1. If the minimal polynomial of output keystream $z_t$ is reducible,
algorithm 1 described in m is directly applicable.

2. Case 2. If another sequence $y_t \in GF(2^n)$ is determined such that
$v_t = z_t * y_t$, where $*$ is a term wise product, and
$L(v_t) + L(y_t) < L(z_t)$ and $L(v_t + y_t) + L(y_t) < L(z_t)$, algorithm 2
described in [IS] is applicable on $z_t$.

Our analysis reveals that selective DFT attacks on A5/1 algorithm are not
applicable. Detailed results are being published at other forum shortly.


7.3 DFT Attacks on E0 Cipher

Selective DFT attacks on E0 cipher are possible with modifications in
equations derived in [3]. Our results on E0 cipher are being published at some
other forums shortly.
8 Conclusion

In this report, we presented a transform domain analysis of LFSR based
sequence generators. The inherent peculiarities of the LFSR product sequences
were evoked through novel patterns identified with the help of a CRT based
approach. These findings were then extended to the filter generators and more
particularly to the combiner generators. An effort was made to establish the
mapping of different operations from time domain to frequency domain. Novel
results on fixed shift patterns of LFSRs, their relationship to cyclic
structures in finite fields and CRT based interpretation of these patterns
have been exploited to reduce the computations required in the last stage of
DFT spectral attacks on combiner generators. Subsequent to the transform
domain analysis of basic components of stream ciphers and discussion on
applicability of fast discrete Fourier attacks on A5/1 algorithm, DFT based
analysis of combiners resistant to correlation attacks are considered as
interesting cases for their analysis in frequency domain and some initial
results have shown good promise in this regard.